'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divided into the following pages:

{{expand}}

* [[Windows Memory Analysis]]
* [[Linux Memory Analysis]]

== OS-Independent Analysis ==

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system-independent memory analysis. Using virtual machine introspection combined with a number of formal program analysis techniques, his system monitored the machine-level instructions and behavior of application actions (listing processes, network connections, etc.) and then automatically generated Volatility plugins that replicated this analysis.

Various types of encryption keys can be extracted during memory analysis.

* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys, and [[RSAKeyFinder]] extracts private and public [[RSA]] keys, from a memory dump [http://citp.princeton.edu/memory/code/].
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases.

== See Also ==

* [[Memory Imaging]]
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
* [[:Tools:Memory Analysis|Memory Analysis Tools]]

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

== Characteristics ==

{| class="wikitable"
|-
| <b>Integers</b>
| Stored in little-endian.
|-
| <b>Strings</b>
| Stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
|}

=== File header ===

{| class="wikitable"
|-
! Field
! Offset
! Size
! Type
! Description
|-
| H4
| 0x000C
| 4
| DWORD
| Prefetch file size (or length), sometimes referred to as End of File (EOF).
|-
| H5
| 0x0010
| 60
| USTR
| The name of the (original) executable as a Unicode (UTF-16 little-endian) string, up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
|}

It is worth noting that the name of a carved prefetch file can be restored using the information in fields H5 and H6, and its size can be determined from field H4.

=== Format version ===

{| class="wikitable"
|-
! Value
! Windows version
|-
| 17 (0x11)
| Windows XP, Windows 2003
|-
| 23 (0x17)
| Windows Vista, Windows 7
|-
| 26 (0x1a)
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
|}

== Section B ==

The actual format and usage of these entry records is currently not known.

== Section C - Filename strings ==

This section contains filename strings: an array of UTF-16 little-endian strings, each terminated by an end-of-string character (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.
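The following Python is an added example, not code from the original page: it reads the header fields that let a carved prefetch file's name be restored (H5 executable name, H6 hash) and its size (H4), maps the format version onto the Windows versions listed above, and walks a Section C string array while ignoring the trailing alignment padding. The offsets of H5 (0x0010, 60 bytes) and H6 (0x004C) and the version table come from this page; the version field at offset 0x0000, the H4 file-size field at offset 0x000C, and the NAME-HASH.pf filename convention are assumptions taken from the standard prefetch layout rather than statements on this page. The header and Section C bytes are constructed samples, not a real capture.

```python
"""Added example: reconstruct a carved prefetch file's name from its header
and split a Section C blob into filename strings. Offsets 0x0010 (H5) and
0x004C (H6) are from the page; the version field at 0x0000 and the file-size
field (H4) at 0x000C are assumed from the standard prefetch layout."""
import struct

# Format-version values and the Windows versions the page associates with them.
FORMAT_VERSIONS = {
    0x11: "Windows XP, Windows 2003",
    0x17: "Windows Vista, Windows 7",
    0x1A: "Windows 8.1 (possibly Windows 8)",
}

H1_VERSION_OFFSET = 0x0000   # assumed: 4-byte format version
H4_FILESIZE_OFFSET = 0x000C  # assumed: 4-byte file size (EOF)
H5_NAME_OFFSET = 0x0010      # page: 60-byte UTF-16LE executable name
H5_NAME_SIZE = 60
H6_HASH_OFFSET = 0x004C      # page: 4-byte prefetch hash


def parse_header(data: bytes) -> dict:
    """Pull version, file size, executable name and hash out of a header."""
    if len(data) < H6_HASH_OFFSET + 4:
        raise ValueError("buffer too short for a prefetch header")
    version, = struct.unpack_from("<I", data, H1_VERSION_OFFSET)
    file_size, = struct.unpack_from("<I", data, H4_FILESIZE_OFFSET)
    raw_name = data[H5_NAME_OFFSET:H5_NAME_OFFSET + H5_NAME_SIZE]
    # Up to 29 UTF-16LE characters plus a U+0000 terminator fit in 60 bytes;
    # a field without a terminator is malformed, so refuse it.
    decoded = raw_name.decode("utf-16-le", errors="replace")
    if "\x00" not in decoded:
        raise ValueError("executable name lacks a U+0000 terminator")
    name = decoded.split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, H6_HASH_OFFSET)
    return {
        "version": version,
        "windows": FORMAT_VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "executable": name,
        "hash": prefetch_hash,
    }


def expected_filename(header: dict) -> str:
    """Assumed convention: <EXECUTABLE>-<HASH>.pf with the hash as 8 upper-case hex digits."""
    return f"{header['executable']}-{header['hash']:08X}.pf"


def parse_filename_strings(section: bytes) -> list:
    """Split a Section C blob into its U+0000-terminated UTF-16LE strings.

    Scanning stops at the first empty string or at a run without a terminator,
    which is how the trailing alignment padding (possibly holding remnant
    bytes) is skipped rather than returned as a bogus path."""
    names = []
    pos = 0
    while pos + 1 < len(section):
        end = pos
        while end + 1 < len(section) and section[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 1 >= len(section):
            break  # no terminator: padding or remnant, not a string
        if end == pos:
            break  # empty string: the array has ended, padding follows
        names.append(section[pos:end].decode("utf-16-le", errors="replace"))
        pos = end + 2
    return names


def build_sample_header() -> bytes:
    """Constructed sample header (not a real capture) in the version-17 layout."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, H1_VERSION_OFFSET, 0x11)
    struct.pack_into("<I", buf, H4_FILESIZE_OFFSET, 0x4E2C)
    name = "NOTEPAD.EXE".encode("utf-16-le") + b"\x00\x00"
    buf[H5_NAME_OFFSET:H5_NAME_OFFSET + len(name)] = name
    struct.pack_into("<I", buf, H6_HASH_OFFSET, 0x0A1B2C3D)  # constructed hash value
    return bytes(buf)


# Constructed Section C sample: two terminated paths followed by alignment
# padding that still carries remnant bytes ("A", "B").
SAMPLE_SECTION_C = (
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL".encode("utf-16-le") + b"\x00\x00"
    + "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\NOTEPAD.EXE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00\x41\x00\x42\x00"
)

if __name__ == "__main__":
    hdr = parse_header(build_sample_header())
    print(hdr, "->", expected_filename(hdr))
    print(parse_filename_strings(SAMPLE_SECTION_C))
```

When run over a carved buffer, compare the reconstructed name against the filename the file was recovered under: a mismatch between H5/H6 and the on-disk name, or an H4 value that disagrees with the carved length, is a sign that the carve is truncated or that the file was renamed.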

== Section D - Volumes information (block) ==

Section D contains one or more subsections; each subsection refers to directories on a volume.

If all the executables and libraries referenced in section C are on one single disk volume, section D will contain only one subsection. If section C references multiple volumes, section D will contain multiple subsections. A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive and start it from that volume. The corresponding prefetch file will then have one D header referring to, e.g., \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g., \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

In this section, all offsets are assumed to be counted from the start of the D section.

=== Volume information ===

The structure of the volume information is version dependent.

==== Volume information - version 17 ====

The volume information for version 17 is 40 bytes in size and consists of:
